Report: ‘Failure of OPM’s leadership’ led to historic data breaches

A 2014 data breach at the Office of Personnel Management was the result of failed leadership and consistent cybersecurity ignorance, according to an investigative report released Wednesday by members of the House Committee on Oversight and Government Reform.

“The long-standing failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership, not technology,” states the report.

By disregarding warnings shared by the inspector general as far back as 2005, former Chief Information Officer Donna Seymour and Director Katherine Archuleta put the personal information of more than 20 million citizens at risk, Oversight chairman Rep. Jason Chaffetz, R-Utah, said during a Wednesday appearance at the American Enterprise Institute, a D.C.-based think tank.

Across the federal government, cybersecurity is an area where agencies are generally lacking the tools and personnel necessary to properly defend themselves, said Chaffetz, who also took the opportunity to rail against the Department of Education for its apparent lack of defenses.

“The government of the United States of America has never before been more vulnerable to cyberattacks,” the 241-page report reads.

The exhaustive report serves two purposes, according to Chaffetz: to provide a more comprehensive picture of what happened at OPM and a warning to federal CIOs at other agencies regarding poor security practices.

Though the report stops short of direct attribution, a series of intrusions from April 2014 to May 2015 appears linked to two Chinese government-sponsored groups, named the Axiom Group and Deep Panda.

The earliest known data breach at OPM came in November 2013, the report found, but it went undetected for years until a private cybersecurity firm was brought in to run digital forensics. And before that, malware was found to be lurking on the organization’s data infrastructure dating back to 2012, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team.

Broadly, a delay in breach detection at OPM led to future intrusions and further damage to the office’s systems, the report found.

A rebuttal by House Oversight Committee Democrats, also published Wednesday, seeks to lay some of the blame, largely levied at former OPM leadership, onto a cohort of federal contractors. One such OPM contractor, KeyPoint, has been the target of criticism from Rep. Elijah Cummings, D-Md. The investigative and risk mitigation services company reportedly stored important OPM system credentials improperly, which allowed hackers to separately steal information.

Oversight Republicans are also using the report to, among other things, bring attention to standing legislation, including H.R. 451, H.R. 4361 and S. 2975.

H.R. 451, otherwise known as the Safe and Secure Federal Websites Act of 2015, would require agency CIOs to review and certify the security behind government websites that handle sensitive personal information before they become publicly accessible. The latter bills give agency officials privileges to ignore union-based collective bargaining requirements in order to secure networks more quickly.